Created nginx-config-file-templates

2022-10-21 08:33:08 +02:00
parent 7453f1e616
commit bb3d363094
6 changed files with 71 additions and 104 deletions
--- a/netmaker_server/files/opt/netmaker_server/nginx/conf/stream.d/passthrough.conf
+++ b/netmaker_server/files/opt/netmaker_server/nginx/conf/stream.d/passthrough.conf
@@ -1,24 +0,0 @@
-stream{
-    map $ssl_preread_server_name $name {
-        hostnames;  # Use hostnames as map?
-
-        netmaker-ui.*   127.0.0.1:8443;
-        netmaker-api.*  127.0.0.1:8443;
-
-        netmaker-broker.*   mosquitto:8883; # todo: tls-terminate?
-
-        netmaker-rqlite-http.*    127.0.0.1:8443;
-        netmaker-rqlite-cluster.*   rqlite:4002;
-
-        default         127.0.0.1:1;
-    }
-
-    server {
-        resolver 127.0.0.11; # Explicitly set docker-resolver
-        
-        listen      443;
-        ssl_preread on;
-
-        proxy_pass  $name;
-    }
-}
--- a/netmaker_server/tasks/nginx.yml
+++ b/netmaker_server/tasks/nginx.yml
@@ -1,3 +1,11 @@
+- name: Deploy nginx configs
+  template:
+    src: "{{item.src}}"
+    dest: "{{item.dst}}"
+  loop:
+    - { src: 'nginx/proxy.conf.template',       dst: '/opt/netmaker_server/nginx/conf/conf.d/proxy.conf' }
+    - { src: 'nginx/passthrough.conf.template', dst: '/opt/netmaker_server/nginx/conf/stream.d/passthrough.conf' }
+
 - name: Start nginx service
  command: "docker-compose --project-directory /opt/netmaker_server/ up -d nginx"
  register: command
--- a/netmaker_server/templates/docker-compose.yml.template
+++ b/netmaker_server/templates/docker-compose.yml.template
@@ -10,7 +10,7 @@ services:
      - ./nginx/conf/stream.d/:/etc/nginx/stream.d:ro  # conf.d
      - ./certs:/certs:ro # SSL-certificates
    ports:
-      - 51820:443
+      - {{ netmaker_nginx.tls_port }}:443

  rqlite: # Distributed sqlite-db
    image: rqlite/rqlite
@@ -20,14 +20,11 @@ services:
      - "./rqlite/data:/rqlite/file"
      - "./rqlite/config.json:/config.json:ro"
      - "./certs:/certs:ro"
-    # FIXME: "node-no-verify" Skipping certificate verification is bad!
-    #-http-ca-cert /certs/ca.crt
-    #-http-cert    /certs/node.crt
-    #-http-key     /certs/node.key
+      - ./certs/ca.crt:/etc/ssl/certs/netmaker-ca.pem:ro  # Add CA to system-trust-store
    command: "
-    -http-adv-addr netmaker-rqlite-http.{{ ansible_facts.nodename }}:51820
+    -http-adv-addr {{  netmaker_rqlite.http_host }}.{{ ansible_facts.nodename }}:{{ netmaker_nginx.advertise_port }}
    -raft-addr     [::]:4002
-    -raft-adv-addr netmaker-rqlite-cluster.{{ ansible_facts.nodename }}:51820
+    -raft-adv-addr {{  netmaker_rqlite.cluster_host }}.{{ ansible_facts.nodename }}:{{ netmaker_nginx.advertise_port }}

    -http-ca-cert /certs/ca.crt

@@ -41,7 +38,7 @@ services:

 {% if inventory_hostname != groups['netmaker'][0] %}
    -join-as  netmaker
-    -join     https://netmaker-rqlite-http.{{ groups['netmaker'][0] }}:51820
+    -join     https://{{  netmaker_rqlite.http_host }}.{{ groups['netmaker'][0] }}:{{ netmaker_nginx.advertise_port }}
 {% endif %}
    "
    # FIXME: /\ \/ Change http -> https
@@ -63,17 +60,18 @@ services:
    volumes: # Volume mounts necessary for sql, coredns, and mqtt
      - ./dnsconfig/:/root/config/dnsconfig
      - ./mosquitto/data/:/etc/netmaker/
+      - ./certs/ca.crt:/etc/ssl/certs/netmaker-ca.pem:ro  # Add CA to system-trust-store
    hostname: "{{ ansible_facts.nodename }}"
    environment: # Necessary capabilities to set iptables when running in container
      NODE_ID: "{{ ansible_facts.nodename }}"
-      MASTER_KEY: "{{ netmaker.master_key }}" # The admin master key for accessing the API. Change this in any production installation.
+      MASTER_KEY: "{{ netmaker_creds.master_key }}" # The admin master key for accessing the API. Change this in any production installation.

-{% if not private_ipv4_address and not netmaker.dynamicIp %}
+{% if not private_ipv4_address and not netmaker_dynamicIp %}
      SERVER_HOST: "{{ ansible_facts.default_ipv4.address }}" # Set to public IP of machine.
 {% endif %}
-      SERVER_NAME: "netmaker-broker.{{ netmaker.base_domain }}" # The domain/host IP indicating the mq broker address
-      SERVER_HTTP_HOST: "netmaker-api.{{ netmaker.base_domain }}" # Overrides SERVER_HOST if set. Useful for making HTTP available via different interfaces/networks.
-      SERVER_API_CONN_STRING: "netmaker-api.{{ netmaker.base_domain }}:8081"
+      SERVER_NAME: "{{  netmaker_broker.tls_host }}.{{ netmaker_base_domain }}" # The domain/host IP indicating the mq broker address
+      SERVER_HTTP_HOST: "{{  netmaker_api.host }}.{{ netmaker_base_domain }}" # Overrides SERVER_HOST if set. Useful for making HTTP available via different interfaces/networks.
+      SERVER_API_CONN_STRING: "{{  netmaker_api.host }}.{{ netmaker_base_domain }}:{{ netmaker_nginx.advertise_port }}"

      DISABLE_REMOTE_IP_CHECK: "off" # If turned "on", Server will not set Host based on remote IP check. This is already overridden if SERVER_HOST is set. Turned "off" by default.
      DNS_MODE: "off" # Enables DNS Mode, meaning all nodes will set hosts file for private dns settings.
@@ -85,32 +83,28 @@ services:
      DISPLAY_KEYS: "on" # Show keys permanently in UI (until deleted) as opposed to 1-time display.
      
      DATABASE: "rqlite"
-      SQL_CONN: "http://netmaker:{{ netmaker.rqlite_password }}@rqlite:4001/"
+      SQL_CONN: "https://netmaker:{{ netmaker_creds.rqlite_password }}@{{ netmaker_rqlite.http_host }}.{{ ansible_facts.nodename }}:{{ netmaker_nginx.advertise_port }}/"

-      MQ_HOST: "mosquitto"  # the address of the mq server. If running from docker compose it will be "mq". Otherwise, need to input address. If using "host networking", it will find and detect the IP of the mq container.
-      MQ_SERVER_PORT: "1883" # the reachable port of MQ by the server - change if internal MQ port changes (or use external port if MQ is not on the same machine)
-      MQ_PORT: "51820" # the reachable port of MQ - change if external MQ port changes (port on proxy, not necessarily the one exposed in docker-compose)
-      MQ_ADMIN_PASSWORD: "{{ netmaker.mq_admin_password }}"
+      MQ_HOST: "mosquitto"    # the address of the mq server. If running from docker compose it will be "mq". Otherwise, need to input address. If using "host networking", it will find and detect the IP of the mq container.
+      MQ_SERVER_PORT: "1883"  # the reachable port of MQ by the server - change if internal MQ port changes (or use external port if MQ is not on the same machine)
+      MQ_PORT: "{{ netmaker_nginx.advertise_port }}" # the reachable port of MQ - change if external MQ port changes (port on proxy, not necessarily the one exposed in docker-compose)
+      MQ_ADMIN_PASSWORD: "{{ netmaker_creds.mq_admin_password }}"
      
      HOST_NETWORK: "off" # whether or not host networking is turned on. Only turn on if configured for host networking (see docker-compose.hostnetwork.yml). Will set host-level settings like iptables.
      PORT_FORWARD_SERVICES: "" # decide which services to port forward ("dns","ssh", or "mq")

      # this section is for OAuth
-      AUTH_PROVIDER: "" # "<azure-ad|github|google|oidc>"
-      CLIENT_ID: "" # "<client id of your oauth provider>"
-      CLIENT_SECRET: "" # "<client secret of your oauth provider>"
-      FRONTEND_URL: "" # "https://dashboard.<netmaker base domain>"
-      AZURE_TENANT: "" # "<only for azure, you may optionally specify the tenant for the OAuth>"
-      OIDC_ISSUER: "" # https://oidc.yourprovider.com - URL of oidc provider
+      AUTH_PROVIDER: ""   # "<azure-ad|github|google|oidc>"
+      CLIENT_ID: ""       # "<client id of your oauth provider>"
+      CLIENT_SECRET: ""   # "<client secret of your oauth provider>"
+      FRONTEND_URL: ""    # "https://dashboard.<netmaker base domain>"
+      AZURE_TENANT: ""    # "<only for azure, you may optionally specify the tenant for the OAuth>"
+      OIDC_ISSUER: ""     # https://oidc.yourprovider.com - URL of oidc provider
      
      VERBOSITY: "1" # logging verbosity level - 1, 2, or 3
      TELEMETRY: "off" # Whether or not to send telemetry data to help improve Netmaker. Switch to "off" to opt out of sending telemetry.
    ports:
      - "51821-51830:51821-51830/udp" # wireguard ports
-{#     labels: # only for use with traefik proxy (default)
-      - traefik.enable=true
-      - traefik.http.routers.netmaker-api.rule=Host(`netmaker-api.{{ netmaker.base_domain }}`)
-      - traefik.http.services.netmaker-api.loadbalancer.server.port=8081 #}

  netmaker-ui:  # The Netmaker UI Component
    image: gravitl/netmaker-ui:v0.16.1
@@ -120,28 +114,7 @@ services:
      - "netmaker:api"
    restart: unless-stopped
    environment:
-      #BACKEND_URL: "http://netmaker-api.{{ netmaker.base_domain }}:8081" # URL where UI will send API requests. Change based on SERVER_HOST, SERVER_HTTP_HOST, and API_PORT
-      BACKEND_URL: "http://tranio.ruekov.eu:8081"
-{#     labels:
-      - traefik.enable=true
-      - traefik.http.middlewares.nmui-security.headers.accessControlAllowOriginList=netmaker-dashboard.{{ netmaker.base_domain }}
-      - traefik.http.middlewares.nmui-security.headers.stsSeconds=31536000
-      - traefik.http.middlewares.nmui-security.headers.browserXssFilter=true
-      - traefik.http.middlewares.nmui-security.headers.customFrameOptionsValue=SAMEORIGIN
-      - traefik.http.middlewares.nmui-security.headers.customResponseHeaders.X-Robots-Tag=none
-      - traefik.http.middlewares.nmui-security.headers.customResponseHeaders.Server= # Remove the server name
-      - traefik.http.routers.netmaker-ui.middlewares=nmui-security@docker
-      - traefik.http.routers.netmaker-ui.rule=Host(`netmaker-dashboard.{{ netmaker.base_domain }}`)
-      - traefik.http.services.netmaker-ui.loadbalancer.server.port=80 #}
-
-  {#  coredns: # The DNS Server. CoreDNS can be removed unless doing special advanced use cases
-     image: coredns/coredns
-     command: -conf /root/dnsconfig/Corefile
-     depends_on:
-       - netmaker
-     restart: unless-stopped
-     volumes:
-       - ./dnsconfig/:/root/dnsconfig #}
+      BACKEND_URL: "https://{{ netmaker_api.host }}.{{ netmaker_base_domain }}:{{ netmaker_nginx.advertise_port }}" # URL where UI will send API requests. Change based on SERVER_HOST, SERVER_HTTP_HOST, and API_PORT

  mosquitto: # the MQTT broker for netmaker
    image: eclipse-mosquitto:2.0.11-openssl
@@ -155,28 +128,3 @@ services:
    command: ["/mosquitto/config/wait.sh"]
    environment:
      NETMAKER_SERVER_HOST: "http://netmaker:8081"
-{#     labels:
-      - traefik.enable=true
-      - traefik.tcp.routers.mqtts.rule=HostSNI(`netmaker-broker.{{ netmaker.base_domain }}`)
-      - traefik.tcp.routers.mqtts.tls.passthrough=true
-      - traefik.tcp.services.mqtts-svc.loadbalancer.server.port=8883 #}
-
-  {# traefik: # the default proxy - can be replaced with caddy or nginx, but requires careful configuration
-    image: traefik:v2.6
-    command:
-      - "--certificatesresolvers.http.acme.email=YOUR_EMAIL"
-      - "--certificatesresolvers.http.acme.storage=/letsencrypt/acme.json"
-      - "--certificatesresolvers.http.acme.tlschallenge=true"
-      - "--entrypoints.websecure.address=:443"
-      - "--entrypoints.websecure.http.tls=true"
-      - "--entrypoints.websecure.http.tls.certResolver=http"
-      - "--log.level=INFO"
-      - "--providers.docker=true"
-      - "--providers.docker.exposedByDefault=false"
-      - "--serverstransport.insecureskipverify=true"
-    restart: unless-stopped
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - traefik_certs:/letsencrypt
-    ports:
-      - "443:443" #}
--- a/netmaker_server/templates/nginx/passthrough.conf.template
+++ b/netmaker_server/templates/nginx/passthrough.conf.template
@@ -0,0 +1,34 @@
+stream{
+    # Map target-hosts based on hostname
+    map $ssl_preread_server_name $target_host {
+        hostnames;  # Enable matching including prefix/suffix-mask
+
+        {{ netmaker_ui.host }}.{{ netmaker_base_domain }}   127.0.0.1:8443;
+        {{ netmaker_api.host }}.{{ netmaker_base_domain }}  127.0.0.1:8443;
+
+        {{ netmaker_broker.tls_host }}.{{ netmaker_base_domain }}   mosquitto:8883; # todo: tls-terminate?
+
+        {{ netmaker_rqlite.http_host }}.{{ ansible_facts.nodename }}    127.0.0.1:8443;
+        {{ netmaker_rqlite.cluster_host }}.{{ ansible_facts.nodename }}   rqlite:4002;
+
+        default         127.0.0.1:1;
+    }
+
+    # Enable Proxy-Protocol for local calls
+    map $target_host $proxy_protocol_enabled { 
+        hostnames;
+
+        127.0.0.1*      on;
+        default         off;
+    }
+
+    server {
+        resolver 127.0.0.11; # Explicitly set docker-resolver
+        
+        listen      443;
+        ssl_preread on;
+
+        proxy_protocol $proxy_protocol_enabled;
+        proxy_pass  $name;
+    }
+}
--- a/netmaker_server/files/opt/netmaker_server/nginx/conf/conf.d/proxy.conf
+++ b/netmaker_server/files/opt/netmaker_server/nginx/conf/conf.d/proxy.conf
@@ -1,9 +1,10 @@
 map $host    $proxy_name {
    hostnames;
    
-    netmaker-ui.*   netmaker-ui:80;
-    netmaker-api.*  netmaker:80;
-    netmaker-rqlite-http.*  rqlite:4001;
+    {{ netmaker_ui.host }}.{{ netmaker_base_domain }}               netmaker-ui:80;
+    {{ netmaker_api.host }}.{{ netmaker_base_domain }}              netmaker:8081;
+    
+    {{ netmaker_rqlite.http_host }}.{{ ansible_facts.nodename }}    rqlite:4001;

    default         444;
 }
@@ -11,7 +12,7 @@ map $host    $proxy_name {
 server {
    resolver 127.0.0.11; # Explicitly set docker-resolver

-    listen 8443 ssl;
+    listen 8443 ssl proxy_protocol;

    ssl_certificate /certs/node.crt;
    ssl_certificate_key /certs/node.key;
--- a/netmaker_server/templates/rqlite-config.json.template
+++ b/netmaker_server/templates/rqlite-config.json.template
@@ -1,5 +1,5 @@
 [{
    "username": "netmaker",
-    "password": "{{ netmaker.rqlite_password }}",
+    "password": "{{ netmaker_creds.rqlite_password }}",
    "perms": ["all"]
 }]